Disclaimer: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, released under the CC BY-SA 4.0 licence. If you reuse it you must also comply with CC BY-SA, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/51449801/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Time: 2020-08-11 00:08:24  Source: igfitidea

How to disable endpoint identification for java 1.8.181 version

Tags: java, java-8, ldap

Asked by Aravind

When I upgraded java from 1.8.161 to 1.8.181, I am not able to connect to LDAP from my application; I get the below exception when I try to log in to the application with a user that is active in LDAP.

javax.naming.CommunicationException: : [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address found]

I found the below release notes on the Oracle site for version 1.8.181

Changes

core-libs/javax.naming: Improve LDAP support. Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

I tried to set the property to true as below, along with the other properties. But it still throws the same error.

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// JNDI environment for the LDAPS connection; the values come from configuration
Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, ctxFactory);
env.put(Context.PROVIDER_URL, providerUrl);
env.put(Context.SECURITY_PRINCIPAL, secPrincipal);
env.put(Context.SECURITY_AUTHENTICATION, secAuthentication);
env.put(Context.SECURITY_CREDENTIALS, secCredentials);
// the release-note property is passed in the JNDI environment here
env.put("com.sun.jndi.ldap.object.disableEndpointIdentification", disableEndpointIdentification);
DirContext ldapCtx = new InitialDirContext(env);

Need your help on how and where exactly we need to set the property com.sun.jndi.ldap.object.disableEndpointIdentification to true.

There is no such constant String variable related to this in the Context interface either.

If I revert back to java 1.8.161 version it works fine.

Answered by Vadim

The doc talks about an application system property, not about the LDAP context environment.

Then it needs to be set up on the application JVM (java command line) for the app as

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
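As an added example, not code from the answer, the question or the JDK: a Java program that treats the kill switch the way this answer describes, as a JVM system property rather than a JNDI environment entry, and reads it back with the "defined, or set to true" semantics the release note gives. The LDAPS URLs, bind DN, password variable and factory class name are assumptions. Only the hostname form is one to keep in production: the IP form needs the identification check turned off, which removes the protection the 8u181 change added. If you set the property from code instead of the command line, do it before the first LDAPS context is created; in the OpenJDK 8u sources the provider reads it once when its connection class initialises.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapsEndpointIdDemo {

    // Kill switch named in the 8u181 release note quoted in the question.
    static final String DISABLE_EPI =
            "com.sun.jndi.ldap.object.disableEndpointIdentification";

    // Assumed URLs. The IP form reproduces the question's failure whenever the
    // server certificate carries no iPAddress SAN; the hostname form is the
    // durable fix because it leaves endpoint identification switched on.
    static final String URL_BY_IP   = "ldaps://10.233.207.65:636";
    static final String URL_BY_NAME = "ldaps://ldap.example.internal:636";

    /** Release-note semantics: the switch counts as active when the property is
     *  merely defined (empty value) or when its value parses as true. */
    static boolean endpointIdentificationDisabled() {
        String v = System.getProperty(DISABLE_EPI);
        return v != null && (v.isEmpty() || Boolean.parseBoolean(v));
    }

    static DirContext connect(String providerUrl, String bindDn, String password)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // env.put(DISABLE_EPI, "true") here would do nothing: the provider only
        // consults the JVM system property, as the answer above says.
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        boolean byIp = args.length > 0 && args[0].equals("--by-ip");
        String bindDn = "cn=app,dc=example,dc=internal";                 // assumed
        String password = System.getenv().getOrDefault("LDAP_PASSWORD", "changeit");

        if (byIp && !endpointIdentificationDisabled()) {
            // Same effect as -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
            // on the command line, but it must run before the first LDAPS context
            // is created because the provider caches the value at class load.
            System.setProperty(DISABLE_EPI, "true");
        }

        DirContext ctx = connect(byIp ? URL_BY_IP : URL_BY_NAME, bindDn, password);
        try {
            System.out.println("bound to " + ctx.getEnvironment().get(Context.PROVIDER_URL)
                    + " (endpoint identification disabled: "
                    + endpointIdentificationDisabled() + ")");
        } finally {
            ctx.close();
        }
    }
}
```

Run it without arguments to bind by hostname with the check left on, or with `--by-ip` to reproduce the question's setup with the switch applied. Passing the flag on the command line, `java -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true LdapsEndpointIdDemo --by-ip`, takes the same path and avoids the ordering concern entirely.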

Answered by wvdhaute

Add a SAN for your IP address to the certificate configured on your LDAP

e.g. for your certificate request config (request.inf)

[RequestAttributes]
SAN="ipaddress=10.233.207.65"

[Extensions]
2.5.29.17 = "{text}"
continue_ = "ipaddress=10.233.207.65"

and for the certificate generation something like

keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
subjectAltName=@alt_names

[alt_names]
IP = 10.233.207.65

in the extfile configuration

在 extfile 配置中
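As an added example, not code from this answer, from OpenSSL or from the JDK: a small Java program to run after the certificate has been reissued with the SAN above. It reads the certificate, pulls the subject alternative names the same way the JDK sees them, and decides whether the host part of the LDAPS URL matches one of them, which is the decision endpoint identification makes before the handshake is allowed to continue. The matching rules are a simplified version of RFC 6125 (the JDK's own matcher has further rules for wildcards); the file path, host and the constructed DNS-only SAN sample are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public class LdapsSanCheck {
    // GeneralName tags as returned by X509Certificate.getSubjectAlternativeNames()
    static final int SAN_DNS = 2;
    static final int SAN_IP  = 7;

    /** True when the host part of the LDAPS URL is an IP literal rather than a DNS name. */
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    /** Simplified RFC 6125 dNSName matching: case-insensitive, and a leading
     *  "*." wildcard covers exactly one left-most label. */
    static boolean dnsMatches(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) {
            return pattern.equals(host);
        }
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
    }

    /** Mirrors the endpoint identification decision: an IP literal needs an
     *  iPAddress SAN holding the same address, a DNS name needs a matching dNSName SAN. */
    static boolean sanMatches(Collection<List<?>> sans, String host) throws Exception {
        if (sans == null) {
            return false;                     // certificate has no SAN extension at all
        }
        boolean ip = isIpLiteral(host);
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            String value = String.valueOf(entry.get(1));
            // getByName on an IP literal parses it; no DNS lookup happens here
            if (ip && type == SAN_IP
                    && InetAddress.getByName(value).equals(InetAddress.getByName(host))) {
                return true;
            }
            if (!ip && type == SAN_DNS && dnsMatches(value, host)) {
                return true;
            }
        }
        return false;
    }

    /** Constructed sample: a certificate whose SAN lists DNS names only, the
     *  situation that produces the exception in the question. */
    static List<List<?>> constructedSans() {
        return Arrays.<List<?>>asList(
                Arrays.asList(SAN_DNS, "ldap.example.internal"),
                Arrays.asList(SAN_DNS, "*.corp.example.internal"));
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 1 ? args[1] : "10.233.207.65";   // assumed default
        Collection<List<?>> sans;
        if (args.length > 0) {
            // A real certificate in PEM or DER form, e.g. the reissued server cert
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate) CertificateFactory
                        .getInstance("X.509").generateCertificate(in);
                sans = cert.getSubjectAlternativeNames();
            }
        } else {
            sans = constructedSans();
        }
        System.out.println(host + (sanMatches(sans, host) ? " matches" : " does NOT match")
                + " a subject alternative name");
    }
}
```

Without arguments it runs against the constructed DNS-only sample and reports that 10.233.207.65 does not match, which is exactly the state the question describes; with the reissued certificate and the IP as arguments (`java LdapsSanCheck server.pem 10.233.207.65`) it should report a match, and passing the DNS name instead shows that the name-based URL would have worked without touching the system property.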